Re: Queues and state

2008-01-29 Thread Tihomir koychev
Hi,
 I'm using state-policy if-bound. if-bound states are bound to an interface, so you
need to add just one rule to your setup.

set state-policy if-bound
pass in quick on $int_if from  to any keep state queue unlimited_in

If you want to queue incoming traffic from users then you set the limit on
$ext_if. Outgoing traffic should be set on $int_if.


Cheers
Tihomir
http://koychev.com
- Original Message 
From: Russell Fulton <[EMAIL PROTECTED]>
To: packet fiter 
Sent: Tuesday, January 29, 2008 2:54:43 AM
Subject: Queues and state


Hi Folks

We have been using pf on our campus firewall for many years now and are now looking at adding some queueing.

I know that one can only queue on the outbound interface. We want to queue traffic in both directions so we have to have two queues, one on the external interface to queue outbound traffic and one on the internal interface to queue the incoming traffic.

So far so good.

What has me a little confused is how best to handle sessions with state.

We have a rule:

pass out quick on $ext_if from  to any keep state queue unlimited_out

where unlimited_out is defined as applying to $ext_if.

We have defined a queue unlimited_in on $int_if but what is the best way to assign the traffic to it?

After reading the docs I conclude that I should change the state policy to if_bound and add

pass out quick on $int_if from  to any modulate state queue unlimited_out

Is this the best way to do it?

Thanks,
Russell





Re: protocol in rules

2008-01-14 Thread Tihomir koychev
Hi,
 The faster way is to add quick to your rule; don't worry if you have a large
ruleset, pf is fast enough.
 You can skip the "keep state" keyword. Now it is the default in 4.1 and 4.2.

>>one other question: Will pfctl expand port != {53, ...} ?


Yes it will
http://www.openbsd.org/faq/pf/macros.html

cheers
Tihomir
koychev.com


- Original Message 
From: Russell Fulton <[EMAIL PROTECTED]>
To: pf@benzedrine.cx
Sent: Monday, January 14, 2008 5:24:59 AM
Subject: protocol in rules


Hi Folks

I am making what I thought would be a straightforward change to a
rule set but one that turns out to be non-trivial after all.

existing rules:

block out on $ext_if any
...  (there are a few block quicks etc. here)
pass out quick on $ext_if  from  to any  keep state

Which allows outbound access to addresses in the table .   
Now I want to block outbound access to port 53 (udp & tcp) *by  
default*.  I.e. if there are subsequent pass rules for port 53 then  
they should apply.

The problem is that as soon as I specify a port I then have to specify
a protocol (either tcp or udp) so I can modify the above rule

pass out quick on $ext_if proto {udp,tcp} from any to any port != 53  
keep state

But now how do I allow all the other protocols ?  I can enumerate the  
common ones but this is untidy and error prone.

I really want quick on this rule since it is the most used rule in a  
large (several hundred rules) ruleset.

Any suggestions?

one other question: Will pfctl expand port != {53, ...} ?

Russell





Re: cbq not borrowing fully from parent queue

2006-03-16 Thread Tihomir Koychev
If there is something we miss, please correct us. Everything is written in
pf.conf(8). So
queue highq bandwidth 360Kb priority 3 cbq(borrow)
 if there is some traffic on this queue cbq must reserve 360Kb even if the
real transfer is 1Kb. Priority is something else.

--- Wes Santee <[EMAIL PROTECTED]> wrote:

> Tihomir Koychev wrote:
> > Hi
> >  I have same problem with cbq and start using hfsc. Now i use both
> of
> > them. My experience with cbq show me that parent queue must be
> large
> > than you want.If you Have 1Mb line declare it like 1.2Mb or 1.4Mb
> but
> > do not assign extra bandwidth you add.
> > 
> > --- Wes Santee <[EMAIL PROTECTED]> wrote:
> > 
> >> Wes Santee wrote:
> >>> altq on $ext_if bandwidth 54Mb cbq queue { internal, external }
> >>> queue internal bandwidth 53104Kb priority 7 cbq(borrow)
> >>> queue external bandwidth 896Kb priority 4 cbq { highq, defaultq,
> >> lowq }
> >>>queue highq bandwidth 40% priority 3 cbq(borrow)
> >>>queue defaultq bandwidth 40% priority 2 cbq(default borrow)
> >>>queue lowq bandwidth 20% priority 1 qlimit 300 cbq(borrow)
> >>>
> 
> Tihomir Koychev wrote:
> > queue external bandwidth 1200Kb priority 4 cbq { highq, defaultq,
> >  lowq }
> > queue highq bandwidth 360Kb priority 3 cbq(borrow)
> > queue defaultq bandwidth 360Kb priority 2 cbq(default borrow)
> > queue lowq bandwidth 180Kb priority 1 qlimit 300 cbq(borrow)
> >
> > Try this
> > 
> > If someone have other ideas let us know.
> > 
> 
> Thanks for the tip.  I've tried it out, and there is some marginal
> improvement.  But as you've probably noticed, it's still not ideal.
> I've also asked about this on the FreeBSD pf mailing list, but had no
> response there either.  Either everyone is laughing at us in private
> because we're missing some fundamental property of cbq, or we've
> stumped
> the pf guru's. :)
> 
> Cheers,
> -Wes
> 
> 




Re: cbq not borrowing fully from parent queue

2006-03-15 Thread Tihomir Koychev
Hi
 I have the same problem with cbq and started using hfsc. Now I use both of
them. My experience with cbq shows me that the parent queue must be larger
than you want. If you have a 1Mb line, declare it as 1.2Mb or 1.4Mb, but
do not assign the extra bandwidth you add.

--- Wes Santee <[EMAIL PROTECTED]> wrote:

> Wes Santee wrote:
> > [snip]
> > The setup from pf.conf is this:
> > 
> > altq on $ext_if bandwidth 54Mb cbq queue { internal, external }
> > queue internal bandwidth 53104Kb priority 7 cbq(borrow)
> > queue external bandwidth 896Kb priority 4 cbq { highq, defaultq,
> lowq }
> >queue highq bandwidth 40% priority 3 cbq(borrow)
> >queue defaultq bandwidth 40% priority 2 cbq(default borrow)
> >queue lowq bandwidth 20% priority 1 qlimit 300 cbq(borrow)
> > 
queue external bandwidth 1200Kb priority 4 cbq { highq, defaultq, lowq }
queue highq bandwidth 360Kb priority 3 cbq(borrow)
queue defaultq bandwidth 360Kb priority 2 cbq(default borrow)
queue lowq bandwidth 180Kb priority 1 qlimit 300 cbq(borrow)

Try this.

If someone has other ideas, let us know.

> > The internal queue is for wireless traffic coming from and going to
> the
> > internal network.  The external queue (and its children) are for
> traffic
> > going upstream to my ISP.  The "external" queue is set to my max
> > upstream bandwidth to my ISP, so it can't borrow from the root
> queue.
> > All the child queue's under "external" can (and should) borrow
> against
> > the available upstream bandwidth amount if available.
> > 
> > The problem is that packets in lowq are filling up the queue, even
> > though there is plenty of bandwidth available to borrow from the
> parent
> > queue.
> 
> Here's some additional details that may help.  Note in my original
> e-mail I said that the "external" queue cannot borrow from the root
> queue, as I can't transmit data any faster than 896Kbit/sec to my
> ISP.
> 
> However, if I change the external queue to enable borrowing, ala:
> 
> altq on $ext_if bandwidth 54Mb cbq queue { internal, external }
> queue internal bandwidth 53104Kb priority 7 cbq(borrow)
> queue external bandwidth 896Kb priority 4 cbq(borrow) { highq,
> defaultq,
> lowq }
>queue highq bandwidth 40% priority 3 cbq(borrow)
>queue defaultq bandwidth 40% priority 2 cbq(default borrow)
>queue lowq bandwidth 20% priority 1 cbq(borrow)
> 
> things start painting a very different picture (note I eliminated the
> qlimit keyword also for testing purposes).  "pfctl -vvsqueue" now
> gives us:
> 
> queue  internal bandwidth 53.10Mb priority 7 qlimit 200 cbq( borrow )
>   [ pkts:  0  bytes:  0  dropped pkts:0 bytes:  
> 0 ]
>   [ qlength:   0/200  borrows:  0  suspends:  0 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue  external bandwidth 896Kb priority 4 cbq( borrow ) {highq,
> defaultq, lowq}
>   [ pkts:  0  bytes:  0  dropped pkts:0 bytes:  
> 0 ]
>   [ qlength:   0/ 50  borrows:   1285  suspends:  0 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue   highq bandwidth 358.40Kb priority 3 cbq( borrow )
>   [ pkts:  0  bytes:  0  dropped pkts:0 bytes:  
> 0 ]
>   [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue   defaultq bandwidth 358.40Kb priority 2 cbq( borrow default )
>   [ pkts:   2781  bytes:1226812  dropped pkts:0 bytes:  
> 0 ]
>   [ qlength:   0/ 50  borrows:180  suspends:  0 ]
>   [ measured:17.5 packets/s, 66.61Kb/s ]
> queue   lowq bandwidth 179.20Kb cbq( borrow )
>   [ pkts:   5189  bytes:6068440  dropped pkts:0 bytes:  
> 0 ]
>   [ qlength:   0/ 50  borrows:   4341  suspends:  0 ]
>   [ measured:40.9 packets/s, 398.70Kb/s ]
> 
> Now the queue "lowq" is borrowing heavily from its parent queue
> (external) and the queue is not backing up even at the default of 50
> elements.
> 
> The strange thing here is that the queue "external" now shows that it
> is
> borrowing from its parent (the root queue), although the amount of
> bandwidth going through its queue is never getting close to its max
> of
> 896Kbit (about the highest I've seen it go is ~700Kbit/sec).
> 
> Can anyone explain what is going on?  Why won't child queues enabled
> for
> borrowing not fully borrow from their parent if the parent is
> configured
> not to borrow from its parent?
> 
> Cheers,
> -Wes
> 
> 




RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-12 Thread Tihomir Koychev
Hi
 I have some suggestions below.

--- Chris Willis <[EMAIL PROTECTED]> wrote:

>  
> 
> -Original Message-
> From: Chris Willis 
> Sent: Sunday, March 12, 2006 10:23 AM
> To: 'Melameth, Daniel D.'
> Subject: RE: Solution Request: I need to initiate outbound PPTP
> requests
> thru FreeBSD firewall
> 
> This is what fwbuilder is creating.
> 
> 
> set limit { frags 5000, states 1 }
> set timeout adaptive.start 8000
> set timeout adaptive.end 1
> set optimization Normal
> 
> #
> # Scrub rules
> #
> scrub in all fragment reassemble
> scrub out all random-id 
> 
> #
> # Rule  0 (NAT)
> # force mail server to NAT using same IP as incoming mail # nat on
> fxp0
> proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227 # #

Rule 0
 nat on fxp0 from 192.168.254.253 to any -> 64.62.37.22

> Rule  1 (NAT) # force outbound vpn traffic to source port 500 # nat
> on
> fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 ->
> 64.62.37.226
> port 500 # # Rule  2 (NAT) # NAT all 1928 LAN clients to an IP
> address
> on the external NIC # nat on fxp0 proto {tcp udp icmp} from
> 192.168.0.0/16 to any -> 64.62.37.226 # 
 nat on fxp0 from 192.168.0.0/16 to any -> 64.62.37.22

 That's enough for pptp & nat.

pass in quick on $int_if proto gre from any to any keep state
pass in quick on $int_if inet proto tcp from any to any port = 1723 flags S/SA keep state

pass out quick on $ext_if proto gre from any to any keep state

I'm using OpenBSD 3.8 and the above 3 rules are enough. By the way, 3.8 does
not need to pass in/out gre proto.
Also check: sysctl net.inet.gre.allow

The rules are very hard to read. Try pf.conf with a minimal ruleset. FWbuilder
seems to me to have a bug.

Best regards
Tihomir

># Rule  3 (NAT) # Port
> Forward
> services to DC1 # rdr on fxp0 proto tcp from any to 64.62.37.226 port
> 3389 -> 192.168.254.254 port 3389 

>rdr on fxp0 proto tcp from any to
> 64.62.37.226 port 1723 -> 192.168.254.254 port 1723 

>rdr on fxp0 proto
> udp from any to 64.62.37.226 port 500 -> 192.168.254.254 port 500 rdr
> on
> fxp0 proto 47 from any to 64.62.37.226 -> 192.168.254.254 rdr on fxp0
> proto 51 from any to 64.62.37.226 -> 192.168.254.254 rdr on fxp0
> proto
> 50 from any to 64.62.37.226 -> 192.168.254.254 rdr on fxp0 proto tcp
> from any to 64.62.37.226 port 22 -> 192.168.254.254 port 22 # # Rule 
> 4
> (NAT) # Port Forward Services to MAIL1 # rdr on fxp0 proto tcp from
> any
> to 64.62.37.227 port 110 -> 192.168.254.253 port 110 rdr on fxp0
> proto
> tcp from any to 64.62.37.227 port 443 -> 192.168.254.253 port 443 rdr
> on
> fxp0 proto tcp from any to 64.62.37.227 port 3389 -> 192.168.254.253
> port 3389 rdr on fxp0 proto tcp from any to 64.62.37.227 port 80 ->
> 192.168.254.253 port 80 # # Rule  5 (NAT) # port forward to the store
> camera # rdr on fxp0 proto tcp from any to 64.62.37.228 port 80 ->
> 192.168.202.96 port 80 # # Rule  6 (NAT) # # rdr on fxp0 proto tcp
> from
> any to 64.62.37.226 port 23 -> 192.168.200.11 port 23 # # Rule  7
> (NAT)
> # # rdr on fxp0 proto tcp from any to 64.62.37.229 port 11001 ->
> 192.168.200.38 port 11001 rdr on fxp0 proto udp from any to
> 64.62.37.229
> port 11001 -> 192.168.200.38 port 11001 # # Rule  8 (NAT) # # rdr on
> fxp0 proto tcp from any to 64.62.37.229 port 11002 -> 192.168.202.19
> port 21 # # Rule  9 (NAT) # # rdr on fxp0 proto tcp from any to
> 64.62.37.230 port 3389 -> 192.168.254.255 port 3389 
> 
> 
> # Tables: (3)
> table  { 224.0.0.0/4 , 169.254.0.0/16 , 127.0.0.0/8 ,
> 10.0.0.0/8 , 192.168.0.0/12 , 192.0.2.0/24 , 0.0.0.0/8 } table
>  { 64.62.37.226 , 64.62.37.227 , 64.62.37.228 ,
> 64.62.37.229 , 64.62.37.230 , 192.168.200.89 , 192.168.200.40 } table
>  { 192.168.0.0/16 , 66.134.48.170 } 
> 
> #
> # Rule  0 (fxp0)
> # anti-spoof rule for external interfaces # 
> block in   log  quick on fxp0 inet  from   to any 
> label
> "RULE 0 -- DROP "  
> #
> # Rule  0 (lo0)
> # allow loopback to all - required to log onto box # 
> pass in   log  quick on lo0 inet  from any  to any keep state  label
> "RULE 0 -- ACCEPT "  
> pass out  log  quick on lo0 inet  from any  to any keep state  label
> "RULE 0 -- ACCEPT "  
> #
> # Rule  0 (global)
> # deny bad combinations of TCP flags
> # 
> block in   log  quick inet proto tcp  from any  to any flags U/UA 
> label
> "RULE 0 -- DROP "  
> block in   log  quick inet proto tcp  from any  to any flags RF/RF
> label "RULE 0 -- DROP "  
> block in   log  quick inet proto tcp  from any  to any flags RS/RS
> label "RULE 0 -- DROP "  
> block in   log  quick inet proto tcp  from any  to any flags SF/SF
> label "RULE 0 -- DROP "  
> block in   log  quick inet proto tcp  from any  to any flags
> UAPRSF/UAPRSF  label "RULE 0 -- DROP "  
> block in   log  quick inet proto tcp  from any  to any flags /UAPRSF
> label "RULE 0 -- DROP "  
> block in   log  quick inet proto tcp  from any  to any flags
> UPF/UAPRSF
> label "RULE 0 -- DROP "  
> block in   log  quick inet proto tcp  from any  to any flags
> UPSF/UAPRSF
> label "RULE 0 -- DROP " 

Re: Challenge in doing per-protocol per-IP accounting with bridging.

2006-03-08 Thread Tihomir Koychev
These problems are frequently asked. There is a simple solution, which is
not in PF itself. Use PF to do what it does best: block and pass what
you want.
Visit http://www.mindrot.org/projects.html
The projects pfflowd, flowd and softflowd are what you are looking for. Capture traffic
with pfflowd or softflowd and send it to flowd, which filters and stores the
data. Use the scripts in the flowd project and store the information in a mSQL
database. Once you have everything in SQL you are done.
I use this with cacti.
Please contact me if someone wants all the scripts.

Cheers
Tihomir

--- Sven Ingebrigt Ulland <[EMAIL PROTECTED]> wrote:

> Keywords: openbsd 3.8, pf, accounting, per-protocol, per-ip, bridging
> 
> I am in a bit of a mess trying to get this setup to work. The
> topology
> is as follows:
> 
> 
> Host Martin -\   >
> 217.218.45.80 \"local zone"  <  "internet zone"
>\ >
> \<
> Host Sven ---[switch]-[openbsd bridge] internet
> 217.218.44.209  //\
>/   sis1  sis0
>   / 217.218.44.85
> Host Janne --/
> 217.218.44.208
> 
> 
> All IPs are public and working. I use bridging since I have only very
> few IPs available (and they are not in a continuous range, as you can
> see). The setup works very nicely and all, but when I want to do
> accounting, things aren't as easy as I expected.
> 
> What I want to do is:
>  - Accurately account for packets and bytes per client in and out
>between the local and internet zone, i.e. don't do accounting when
>SSH-ing from host Sven to the OpenBSD bridge for maintenance, etc.
> 
>  - Preferably account for each protocol (TCP, UDP, ICMP) per client.
>This is not a must, however.
> 
>  - Keep the firewalling capabilities intact.
> 
> Now, if I understand correctly, with the mechanism of pf evaluating
> only the last matching rule, this presents some problems when it
> comes
> to accounting.
> 
> This is the current ruleset:
> 
> #  pf.conf begins 
> ext_if="sis0"
> int_if="sis1"
> 
> host_martin="217.218.45.80"
> host_sven="217.218.44.209"
> host_janne="217.218.44.208"
> 
> block in  on $ext_if
> pass  out on $ext_if
> pass  in  on $int_if
> pass  out on $int_if
> 
> pass in on $ext_if proto tcp to $host_janne port { 22 25 80 443 }
> keep state
> pass in on $ext_if proto { tcp udp } to $host_sven port { 5500 } keep
> state
> pass in on $ext_if proto { tcp udp } to $host_martin port 80 keep
> state
> #  pf.conf ends 
> 
> To do accounting, I was thinking that I simply could add some labels
> to the rules and use pfctl -sl to fetch the counters. But because of
> the statefullness and the fact that only the last matching rule is
> evaluated, I fail to understand how to do it properly.
> 
> For example, for client Sven, something along the lines of:
> 
> pass out on $ext_if from $host_sven label "OUT-SVEN" keep state
> pass out on $ext_if proto tcp from $host_sven to any label
> "OUT-TCP-SVEN" keep state
> pass out on $ext_if proto udp from $host_sven to any label
> "OUT-UDP-SVEN" keep state
> pass out on $ext_if proto icmp from $host_sven to any label
> "OUT-ICMP-SVEN" keep state
> 
> would (after pinging a host with 8 pings, which also includes a DNS
> lookup) give the following output from pfctl -sl:
> 
> OUT-SVEN 22 0 0 0 0 0 0
> OUT-TCP-SVEN 3 0 0 0 0 0 0
> OUT-UDP-SVEN 3 2 166 1 109 1 57
> OUT-ICMP-SVEN 3 16 960 8 480 8 480
> 
> This highlights a feature of 'last match wins', the OUT-SVEN label
> counters have not increased (only the evaluation counter, of course).
> 
> What I could do is to label each rule and then calculate totals by
> summing each in/out counter, but with several firewall rules and
> per-port filtering, this would result in a terrible cludge.
> 
> Do you have any idea of how this could be done differently?
> 
> One idea I had was to introduce another action in the filtering
> section of pf.conf, a "dupe" or "eval" action that would evaluate the
> rule (exactly like 'pass quick') but also send the packet traversing
> the rest of the ruleset (like normal 'pass'). Together with labels,
> this would make it very easy to do accounting, e.g.
> 
> eval out on $ext_if from $host_sven label "OUT-SVEN"
> eval out on $ext_if proto tcp from $host_sven to any "OUT-TCP-SVEN"
> eval out on $ext_if proto udp from $host_sven to any "OUT-UDP-SVEN"
> eval out on $ext_if proto icmp from $host_sven to any "OUT-ICMP-SVEN"
> 
> As far as I understand, this is how the Linux netfilter + ipac-ng
> does
> evaluation, and I'm currently considering converting to that (though
> I
> don't want to).
> 
> regards,
> sven
> 




RE: PF load balancing again...

2006-02-28 Thread Tihomir Koychev
Hi
 Since all interfaces have 192.168.x.x IPs, are you sure what the IPs and
netmasks of your routers are? If your routers have a different netmask
than yours.
 Please use pfctl -vsr and see what rules are evaluated. Use pftop
from ports to debug connections.

Cheers
Tihomir

--- Jose Mejia <[EMAIL PROTECTED]> wrote:

>  
> 
> >Down rule will work if your default gateway is on $ext_if
> >pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to
> any port
> www keep state probability 50%
> 
> 
> It doesn't work either, I didn't debug it, but it seems packets going
> out
> from ext_if2 are coming back to ext_if 1 too  
> The default gw is on ext_if
> 
>  
> >Can you give >>ifconfig output and /etc/mygate Also try using pfctl
> -vsr
> and look whats going on on $ext_if and $ext_if2.What is last mathed
> rule
> etc..
> 
> mygate points to the router's attached to ext_if IP
> 
> ifconfig -a output :
> 
> lo0: flags=8049 mtu 33224
>   inet 127.0.0.1 netmask 0xff00 
>   inet6 ::1 prefixlen 128
>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
> em0: flags=8843 mtu 1500
>   address: 00:e0:81:61:bc:cd
>   media: Ethernet autoselect (1000baseT full-duplex)
>   status: active
>   inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>   inet6 fe80::2e0:81ff:fe61:bccd%em0 prefixlen 64 scopeid 0x1
> em1: flags=8843 mtu 1500
>   address: 00:e0:81:61:bc:cc
>   media: Ethernet autoselect (1000baseT full-duplex)
>   status: active
>   inet 192.168.3.1 netmask 0xfff8 broadcast 192.168.3.255
>   inet6 fe80::2e0:81ff:fe61:bccc%em1 prefixlen 64 scopeid 0x2
> rl0: flags=8843 mtu 1500
>   address: 00:50:fc:42:fb:21
>   media: Ethernet autoselect (100baseTX full-duplex)
>   status: active
>   inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
>   inet6 fe80::250:fcff:fe42:fb21%rl0 prefixlen 64 scopeid 0x3
> em2: flags=8843 mtu 1500
>   address: 00:0e:0c:76:d8:67
>   media: Ethernet autoselect (100baseTX full-duplex)
>   status: active
>   inet 192.168.0.2 netmask 0xff00 broadcast 192.168.0.255
>   inet6 fe80::20e:cff:fe76:d867%em2 prefixlen 64 scopeid 0x4
> pflog0: flags=141 mtu 33224
> pfsync0: flags=0<> mtu 2020
> enc0: flags=0<> mtu 1536
> 
> 
> 
> >Cheers
> >Tihomir Koychev
> 
> 




Re: PF load balancing again...

2006-02-27 Thread Tihomir Koychev
> return-rst in log quick on $ext_if proto tcp
> from any
> to any port \ {111, 1080, 6000, 6667, 139, 4662}
> 
> block in log quick on $ext_if2 inet from any to {255.255.255.255,
> 213.172.59.151} block return-rst in log quick on $ext_if2 proto tcp
> from any
> to any port \ {111, 1080, 6000, 6667, 139, 4662}
> 
> #block return-rst in log quick on $int_if proto tcp from any to any
> port \
> #{111,1080, 6000, 6667, 139, 4662}
> 
> 
> #Bloqueo puertos
> block out log quick on $ext_if proto tcp from any to any port $capaos
> block
> out log quick on $ext_if2 proto tcp from any to any port $capaos 
> #some
> port-blocking
> 
> #proxy
> pass in on $int_if inet proto tcp from any to 192.168.1.1 port 8080
> keep
> state 
> 
> #ssh
> pass in log on $int_if inet proto tcp from any to 192.168.1.1 port
> ssh keep
> state pass in log on $int_if inet proto tcp from any to 192.168.2.2
> port ssh
> keep state #pass in log on $dmz_if inet proto tcp from $int_net to
> $dmz_host
> port ssh keep state
> 
> lo0 pass quick on lo0 all
> 
> 
> 
> Remember we want to balance the web outgoing traffic, generated by
> the Squid
> proxy in the same machine
> 
> Thks in advance and greetings 
> 
> Jose M;
> 
> 
> 
>
Can you give >>ifconfig output and /etc/mygate?
Also try using pfctl -vsr and look at what's going on on $ext_if and
$ext_if2. What is the last matched rule, etc.

Cheers
Tihomir Koychev

 


Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655


Re: pf load balancing

2005-09-22 Thread Tihomir Koychev
Hi

Can you post your pf.conf and output from ifconfig?

--- Lucas <[EMAIL PROTECTED]> wrote:

> i tried with it, but it works if i have a machine in the middle. like
> this:
>  
>
> GW2
> LAN - obsd (load balancer with route-to) -- GW1  WAN
>  
>
> GW3
> 
> 
> i want something to work in this scenario:
> 
>   GW2
> LAN  GW1 -- WAN
>GW3
> 
> 
> can route-to do the work in this case?
> 
> 
> Lucas
>  
> 
> 
> ed wrote:
> 
> >On Wed, 21 Sep 2005 17:05:23 -0300
> >Lucas <[EMAIL PROTECTED]> wrote:
> >
> >  
> >
> >>i'm working with 3 gateways and want to load balance between them.
> >>after a failure with layer 2 (carp arpbalance) balancing, i tried
> to
> >>do  it with pf.
> >>
> >>the most logical way to do it is with a machine before the gateways
> 
> >>distributing the load.
> >>there's a way to do it without adding a new machine (and a new
> point
> >>of  failure) to the set?
> >>
> >>
> >
> >Look into the route-to keyword
> >
> >  
> >
> 







Re: Label-based accounting and keeping state won't mix.

2005-08-03 Thread Tihomir Koychev


--- Henning Brauer <[EMAIL PROTECTED]> wrote:

> * Tihomir Koychev <[EMAIL PROTECTED]>
> [2005-08-02 12:11]:
> > > Does this mean that basic label-based IP
> accounting
> > > won't mix with
> > > keeping state at all?
> 
> no, states have a pointer back to the rule that
> created it and update 
> the stats on it.
> 
> > there is patch in current
> >
>
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c
> > which allow counting in/out packets + in/out bytes
> > from labels.
> 
> that is ENTIRELY unrelated to the OPs question. and
> the pfctl part is, 
> well, only a part of it, and the smaller one.
>

Yes, sorry for this. I just wanted to point to where one can
read more about your work. Thanks for this wonderful
improvement.

Best regards
T.Koychev
 
> -- 
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> OpenBSD-based Webhosting, Mail Services, Managed
> Servers, ...
> 





Re: Label-based accounting and keeping state won't mix.

2005-08-02 Thread Tihomir Koychev


--- Sven Ingebrigt Ulland <[EMAIL PROTECTED]>
wrote:

> I'm keeping basic in/out IP accounting info using
> labels. However,
> consider this simple ruleset:
> 
> 
> pass out keep state
> 
> pass in on $int_if from $client1 to ! $localnet
> label "Client1_out"
> pass out on $int_if from ! $localnet to $client1
> label "Client1_in"
> 
> 
> Of course, when keeping state, packets matching the
> state effectively
> skip the rest of the ruleset. According to
>
http://www.openbsd.org/faq/pf/filter.html#state>:
> "[...] not only do packets going from the sender to
> receiver match the
> state entry and bypass ruleset evaluation, but so do
> the reply packets
> from receiver to sender."
> 
> Does this mean that basic label-based IP accounting
> won't mix with
> keeping state at all? Please note that I cannot
> simply count incoming
> and outgoing packets/bytes on each interface, since
> only routed
> "internet" traffic should be accounted for -- not
> traffic on the local
> net, including between clients and the router
> itself.
> 
> 
> regards,
> sven
> 

There is a patch in current
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c
which allows counting in/out packets + in/out bytes
from labels.
If you use keep state, all directions are counted,
in/out:

pass in on $int_if from $client1 to ! $localnet label "Client1_out"

$Client1_out 845 11941 5413693 6723 715196 5218 4698497

http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

 -s labels  Show per-rule statistics (label, evaluations, packets total,
            bytes total, packets in, bytes in, packets out, bytes out) of
            filter rules with labels, useful for accounting.

Best regard
T.Koychev

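As an added example (not code from either of the two accounting threads), a small Python parser for the `pfctl -s labels` line format quoted above: it reads the eight fields, checks that the in/out counters add up to the totals that keep state is said to maintain, and rolls the per-protocol labels from Sven's earlier ruleset (OUT-TCP-SVEN, OUT-UDP-SVEN, ...) up to one row per client, which is the summing he expected to be a kludge. The sample lines are constructed from the figures quoted in both threads plus one made-up label with spaces, and the DIR-PROTO-CLIENT label convention is an assumption.

```python
"""Parse `pfctl -s labels` output and roll per-protocol label counters up per client.

Field order follows pfctl(8): label, evaluations, packets total, bytes total,
packets in, bytes in, packets out, bytes out.  Labels may contain spaces, so
the seven counters are taken from the end of each line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the *-SVEN and Client1_out lines reuse the figures quoted
# in the two threads; the "RULE 0 -- DROP" line is made up to exercise a label
# with embedded spaces.
SAMPLE_OUTPUT = """\
OUT-SVEN 22 0 0 0 0 0 0
OUT-TCP-SVEN 3 0 0 0 0 0 0
OUT-UDP-SVEN 3 2 166 1 109 1 57
OUT-ICMP-SVEN 3 16 960 8 480 8 480
Client1_out 845 11941 5413693 6723 715196 5218 4698497
RULE 0 -- DROP 12 3 180 3 180 0 0
"""

COUNTERS = ("evaluations", "packets", "bytes",
            "packets_in", "bytes_in", "packets_out", "bytes_out")

# Assumed naming convention for the per-protocol accounting labels: DIR-PROTO-CLIENT.
PER_PROTO_LABEL = re.compile(r"^(IN|OUT)-(TCP|UDP|ICMP)-([A-Za-z0-9_]+)$")


@dataclass(frozen=True)
class LabelStats:
    label: str
    evaluations: int
    packets: int
    bytes: int
    packets_in: int
    bytes_in: int
    packets_out: int
    bytes_out: int


def parse_labels(text):
    """Return {label: LabelStats} for one dump; reject malformed or duplicate lines."""
    stats = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) < 8:
            raise ValueError(f"line {lineno}: expected a label plus 7 counters: {raw!r}")
        label = " ".join(parts[:-7])
        try:
            values = [int(v) for v in parts[-7:]]
        except ValueError as exc:
            raise ValueError(f"line {lineno}: non-numeric counter: {raw!r}") from exc
        if label in stats:
            raise ValueError(f"line {lineno}: duplicate label {label!r}")
        stats[label] = LabelStats(label, *values)
    return stats


def inconsistent_labels(stats):
    """Labels whose in + out counters do not add up to the totals.

    With keep state both directions of a session are charged to the rule that
    created the state, so total == in + out must hold; a mismatch points at a
    truncated or hand-edited dump rather than at pf.
    """
    return sorted(s.label for s in stats.values()
                  if s.packets != s.packets_in + s.packets_out
                  or s.bytes != s.bytes_in + s.bytes_out)


def per_client_totals(stats):
    """Sum the DIR-PROTO-CLIENT labels into one counter row per client.

    Catch-all labels such as OUT-SVEN are skipped on purpose: under pf's
    last-match semantics the later, more specific per-protocol rule wins, so
    the catch-all only accrues evaluations and would add nothing to the sum.
    """
    totals = defaultdict(lambda: dict.fromkeys(COUNTERS[1:], 0))
    for s in stats.values():
        match = PER_PROTO_LABEL.match(s.label)
        if match is None:
            continue
        for name in COUNTERS[1:]:
            totals[match.group(3)][name] += getattr(s, name)
    return dict(totals)
```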




 


Re: Help with HFSC and PF

2005-06-01 Thread Tihomir Koychev


--- Edgar <[EMAIL PROTECTED]> wrote:

> Hello, I was hoping someone could help me out with
> HFSC and pf, I'm sending my 
> rules (pf.conf) in the body of this message (so
> anyone can see them), the 
> problem here is that I have a queue rule called
> emule, and a queue rule 
> default, both on $ext_if, and then I have a filter
> rule for all emule traffic
> defined by some ports, tcp and udp, I have also
> tried this same configuration 
> from ports 4000 to 6000 with the same result, I
> don't know what I'm doing 
> wrong, I believe all my rules are ok, but this is
> why I'm sending this email, 
> to verify that everything is correct, hope someone
> can help me out, thank you
>

Ok. Can you describe what exactly you want to do?
 
> Rules:
> 
> #MACROS
> 
> 
> int_if="dc0"
> ext_if="rl0"
> int_net="192.168.0.0/24"
> NoRouteIps="{127.0.0.0/8, 192.168.0.0/16,
> 172.16.0.0/12, 10.0.0.0/8}"
> netbios="{ 137, 138, 139, 81 }"

81???

> p2pp="{6891 ,6892, 6893, 6894, 6895, 6896, 6881,
> 6882, 1214, 4662, 51432}"
> casa="{192.168.0.105, 192.168.0.104}"
> limite="10Mb"
> download="980Kb"
> upload="200Kb"
> emule="100Kb"
> EDKports="{4662, 4661, 4665, 4672}"
> 
> ###
> #SCRUB
> ##
> scrub in all
> 
>
###
> # Traffic control with HFSC
>
###
> altq on $int_if hfsc bandwidth $limite queue {
> download }

You don't need a single queue:
altq on $int_if hfsc bandwidth $limite queue {def, samba, web}

Avoid using the name default for a queue definition.

>  queue download priority 0 bandwidth 99%
> hfsc(linkshare 99%) { default, samba, 
> web }
>   queue default priority 1 bandwidth $download
> hfsc(realtime 250Kb linkshare 
> 800Kb upperlimit $download default)
>   queue web priority 4 bandwidth $download qlimit 15
> hfsc( realtime 300Kb 
> linkshare 800Kb upperlimit $download )
>   queue samba priority 3 bandwidth 20% hfsc(
> realtime 50% linkshare 7Mb 
> upperlimit $limite )
> 
> altq on $ext_if hfsc bandwidth $upload queue {
> upload }

Rewrite the above.

>  queue upload priority 1 bandwidth $upload
> hfsc(linkshare $upload) { def, 
> emule }
>   queue def priority 10 bandwidth 10% qlimit 10
> hfsc(realtime 20% linkshare 
> 10% upperlimit $upload default)
>   queue emule priority 4 bandwidth $emule qlimit 10
> hfsc(realtime 10Kb 
> linkshare 20Kb upperlimit $emule)
> 
> 
> #NAT RULES
> ###
> nat on $ext_if from $int_if:network to any ->
> ($ext_if)
> 
> #
> # Reglas para mensajería y p2p (rules for messaging and p2p)
> #
I don't know what this means :) Write in English.


> rdr on $ext_if proto tcp from any to any port $p2pp
> -> $casa
> rdr on $ext_if proto udp from any to any port {
> 4665, 4672 } -> $casa
>
What are those $casa's? Why do you use them?

 
> #
> #PACKET FILTERING
> #
> 
>
#
> # Block all incoming traffic by default
>
#
> block in all
> 
>
#
> # Shape web traffic ( test )
>
#
> pass quick on $int_if proto tcp from any to any port
> = 80 keep state 
> queue( web )

pass in or out?
Avoid using the bracket form queue( ... ).

> 
> #-
> # Let all traffic in and out for loopback
> #-
> pass quick on lo0 all
> 
> #---
> # Anti spoofing protection
> #---
> antispoof quick for $int_if inet
> 
> #-
> # Accept SSH 8080
> #-
> pass in quick on $ext_if proto tcp from any to
> $ext_if port = 8080 flags S/SA
> 
> #--
> # Accept connections from LAN
> #--
> pass quick on $int_if proto tcp from $int_net to
> $int_if port = 8080 keep 
> state queue( ssh )

in or out?!?

> pass in on $int_if from $int_net to any
> pass in on $int_if from any to $int_net
> pass in quick on $int_if proto {tcp, udp} from any
> to any port $netbios keep 
> state queue( samba )
>
You can optimize the above rules. Also note that you can
shape only outgoing traffic.
 
> #---
> # Block norouteips
> #---
> block in on $ext_if from $NoRouteIps to any
> block out on $ext_if from any to $NoRouteIps
> 
> #--

Re: source routing problem

2005-05-31 Thread Tihomir Koychev


--- Bernd Bednarz <[EMAIL PROTECTED]> wrote:

> j knight schrieb:
> > Bernd Bednarz wrote:
> > 
> >> j knight wrote:
> >>
> >>>   pass out on $dsl2 route-to ($dsl1 $gw1) from
> $ip1 to any
> >>>   pass out on $dsl1 route-to ($dsl2 $gw2) from
> $ip2 to any
> >>>
> >>> Why did you remove them?
> >>
> >>
> >> because the reply-to rule make the same for me
> and I don't need both
> >> of them. When I ping the router on tun1 the
> packets go trough tun1
> >> with the route-to oder reply-to and thatsway I
> only have the one rule
> >> reply-to
> > 
> > 
> > I didn't mean for you to replace the reply-to
> rules with route-to rules,
> > but to have both pair. The route-to rules will
> prevent exactly the
> > problem you're seeing: packets leaving $if1 with a
> source IP of $if2
> > (and vice-versa of course).
> 
> OK, here we go,
> 
> now my pf.conf look like this.
> 
> -snip-
> pppoe1="tun0"
> pppoe2="tun1"
> gw1="217.0.116.68"
> gw2="217.0.116.67"
> 
> supp_net="10.30.70.0/24"
> admin_net="10.30.20.0/24"
> 
> # optimize
> set loginterface $pppoe1
> set optimization aggressive
>
Try this line:
set state-policy if-bound
 
> nat on $pppoe1 from $supp_net to any -> ($pppoe1)
> nat on $pppoe1 from $admin_net to any -> ($pppoe1)
> nat on $pppoe2 from $supp_net to any -> ($pppoe2)
> nat on $pppoe2 from $admin_net to any -> ($pppoe2)
>
Remove the last 2 nat rules. You don't need them now.

 
> rdr on $pppoe2 proto tcp from any to $pppoe2 port 80 -> 10.30.70.43 port 80
> 
> pass out on $pppoe1 route-to ($pppoe2 $gw2) from $pppoe2 to any keep state
> pass out on $pppoe2 route-to ($pppoe1 $gw1) from $pppoe1 to any keep state
> pass in on $pppoe2 reply-to ($pppoe2 $gw2) proto tcp from any to $pppoe2 port 80 keep state
> -snap-

pass in on $pppoe2 reply-to ($pppoe2 $gw2) proto tcp \
 from any to 10.30.70.43 port 80 keep state

> 
> But I think you didn't understand what I said. The
> route-to rules don't catch the packets which come
> from 10.30.70.43 and I don't know why.
> 
Try these lines. Install pftop from ports, an excellent
tool for monitoring pf.

Best regards
T. Koychev


Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655



__ 
Yahoo! Mail 
Stay connected, organized, and protected. Take the tour: 
http://tour.mail.yahoo.com/mailtour.html 


Re: ALTQ: amount of queue rules

2005-05-25 Thread Tihomir Koychev

--- Matt Pearce <[EMAIL PROTECTED]> wrote:
> Hi All,
> 
> I'm about to start working on a few rules for QoS on
> inbound TCP and was 
> wondering if someone could tell me if there is a
> maximum of 15 queue's 
> total or whether I can have 15 rules per in and out
> and/or 15 rules per 
> interface ??  I have had a look around all the
> documentation and cant 
> seem to find a definitive answer so you help before
> I go to much further 
> would be appreciated.
> 
> Thanks,
> 
> Matt.
>
The maximum number of queues is in the include files. For CBQ
the limit is 256, for HFSC 64 per interface.
Also you can use QoS only on the outgoing interface.



Re: load balancing outgoing traffic: 1st TCP connection RESET

2005-04-22 Thread Tihomir Koychev
--- Nikolay Kalev <[EMAIL PROTECTED]> wrote:

> As soon as i know the NAT is done on the External
> interface, so can he 
> just do nat on both external interfaces and isn;t
> route to good to be 
> done on the internal interface rather then on the
> external or something 
> similar ?
> 

Hi Nikolay, I know that my English is f.g bad, but
can you rewrite your answer? And maybe read the previous
post.

Best regards
T.Koychev




performance: single ip in table Vs single ip

2005-04-22 Thread Tihomir Koychev
Hi

Simple question: which rule is evaluated faster?

table  const {192.168.0.2}

pass in quick on $int_if from  to any

or

pass in quick on $int_if from 192.168.0.2 to any

I'm asking because tables store accounting for
in/out packets + in/out bytes, which is perfect for
creating RRDs and graphs.
The second rule has a sum of evaluations:packets:bytes,
without in/out.

Best regards
T.Koychev



Re: load balancing outgoing traffic: 1st TCP connection RESET

2005-04-21 Thread Tihomir Koychev
Hi

--- Emilio Lucena <[EMAIL PROTECTED]> wrote:
> I have the feeling that PF may be having problems
> when it tries to 
> allocate source port during NAT process. It is just
> a feeling, though. If 

As I think, a connection which is route-to'd to the second
interface is NAT'ed again, because NAT occurs before
filtering. So the re-routed packet arrives at the second
interface but now with the IP address of the first external
interface, $ext_ip1.
There is a solution in -current. Daniel sent a
patch 2 months ago.

http://marc.theaimsgroup.com/?l=openbsd-tech&m=110914533920883&w=2

> I new the answer, I would not be asking here, right?
> 
Maybe because there is a patch and the problem is solved in
the mailing list, no one answers.

I have started downloading a snapshot of -current to test
this.
If you succeed, let me know.

> Regards,
> 
> Emilio
> 



Re: load balancing outgoing traffic: 1st TCP connection RESET

2005-04-20 Thread Tihomir Koychev

--- Emilio Lucena <[EMAIL PROTECTED]> wrote:
> My guess is that this has something to do with TCP
> port allocation. At 
> least, this seems to be the case when I try to use a
> similar rule for 
> load-balancing ICMP traffic, like:
> 
> pass out quick log-all on $ext_if1 route-to \
>{ ($ext_if1 ) , ($ext_if2 ) } \
>inet proto icmp keep state
> 
> ICMP traffic originated from the firewall itself is
> load-balanced without 
> a problem. However, ICMP traffic originated at my
> internal network does 
> not go through if PF chooses to re-route it through
> the second external 
> interface. And I see error messages of the type:
> 
> Apr 15 11:43:07 blt-ha /bsd: pf: NAT proxy port
> allocation (50001-65535) 
> failed
> 
> 
> Thanks in advance for any help.
> 
> Regards,
> 
> Emilio
> 

Hi

I have almost the same situation.

>So my questions are:
>
>1. Why the first TCP connection is RST'ed by PF ?
>
>2. Why the second TCP connection is established?

I think that the state which is reset is from the route-to
rule. In my config below you can see the connection from
rule 20. This rule causes the re-routing. The re-routed
packet then passes out through the second external
interface, which also creates a state. This is the answer
to your 2nd question.

The SYN_SENT:CLOSED connection always opens a time window
of 120 seconds. During this interval all packets are
passed to the re-routed interface.

rl0 tcp 192.168.0.11:4898 -> 213.137.58.74:57364 -> 193.110.223.9:6667   SYN_SENT:CLOSED
   [789377754 + 2]  [0 + 1]
   age 00:01:24, expires in 00:00:36, 10:0 pkts, 499:0 bytes, rule 20
   id: 4264ea7100010166 creatorid: 95f6c7b3

After those 120 seconds the route-to rule 20 is checked
again. If the connection has enough luck (50/50), it will
be routed to the same interface for another 120 seconds.
If not, no match, sorry.

During my test I also noticed that the route-to rule creates
10-15x more connections. I forgot to make a copy of this,
but it looks like:

all states on ext_if1 25
all states on ext_if2 31
all state on rule @20 550

pfctl -vvss doesn't print those phantom states, but pftop
and pfctl -vvsr confirm those states.

Everything works if I use load balancing of incoming
connections on $int_if.

The test PC is i386 running OpenBSD 3.6-stable.




pf.conf:

ext_if2="rl1"
ext_gw2="192.168.5.1"
ext_ip2="192.168.5.199"

int_if1="xl0"
int_ip1="192.168.0.199"

ext_if1="rl0"
ext_ip1="213.137.58.74"
ext_ip1_2="10.17.2.1"
ext_gw1="213.137.58.100"


set state-policy if-bound
scrub in all

# Translation

# Note: Unlike filter rules, translation rules are first match
nat on $ext_if1 from !($ext_if1) to 10.0.0.0/8 -> $ext_ip1_2
nat on $ext_if1 from !($ext_if1) to 213.137.48.0/24 -> $ext_ip1
nat on $ext_if1 from !($ext_if1) to any -> $ext_ip1
nat on $ext_if2 from !($ext_if2) to any -> $ext_ip2

block in log all label block_in
block out log all label block_out_all

@16 pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state queue (q_def2,q_pri2)
@17,@18 pass out on $ext_if2 proto { udp, icmp } from any to any keep state

@19 pass in quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
    proto icmp from any to any label "frodo_icmp_in" keep state

@20 pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) from any to any keep state probability 50%
@21 pass out on $ext_if1 proto tcp from $ext_ip1 to any flags S/SA modulate state queue (q_def,q_pri)
@22,@23 pass out on $ext_if1 proto { udp, icmp } from $ext_ip1 to any keep state

@24 pass out on $ext_if1 proto tcp from $ext_ip1 to  flags S/SA keep state queue free-out


@25 pass out on $ext_if1 inet proto tcp from $ext_ip1_2 to any modulate state queue free-out label "10.17.2.1_tcp"
@26,@27 pass out on $ext_if1 proto { icmp, udp } from $ext_ip1_2 to any keep state queue free-out label "10.17.2.1_udp"
@28 pass out on $ext_if1 proto udp from $ext_ip1_2 to 10.10.10.11 keep state queue free2speed label "10.17.2.1_speed"
###
@29 pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
@30,@31 pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

@50 pass in quick on $int_if from  to any flags S/SA keep state \
    queue (ip1-2, speed) label "redeye"


#output from pftop

tcp  In  192.168.0.11:4898 193.110.223.9:6667   4:4 14 86395 18  3891   640   640   277 50
tcp  Out 192.168.0.199:22  192.168.0.11:4757   4:4 20 86395 61  6576   254  1208   328 15
icmp In  213.137.58.101:29946  213.137.58.74:29946   0:0  1 9 12   448   448 19
tcp  Out 192.168.0.11:4898 193.110.223.9:6667   213.137.58.74:57364   2:0 14   106 10   499   757535 20
tcp  Out 192.168.0.11:4898 193.110.223.9:6667   192.168.5.199:63877   4:4  6 86395 17  3843   7575   640 16
tcp  Out 213.137.58.74:57364   193.110.223.9:6667   192.168.5.199:54699   10:1014
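As an added example (not part of the post and not a pf tool), a small Python parser for pfctl -vvss output that does the per-interface and per-rule counting described above and flags states stuck in SYN_SENT:CLOSED. The sample is constructed in the layout of the entry quoted in the post; the extra entries, rule numbers and state ids are made up here.

```python
import re
from collections import Counter

# Constructed sample in the layout of pfctl -vvss on OpenBSD 3.x: the first entry
# is the one quoted in the post above; the other two are made up for this example.
SAMPLE_STATES = """\
rl0 tcp 192.168.0.11:4898 -> 213.137.58.74:57364 -> 193.110.223.9:6667       SYN_SENT:CLOSED
   [789377754 + 2]  [0 + 1]
   age 00:01:24, expires in 00:00:36, 10:0 pkts, 499:0 bytes, rule 20
   id: 4264ea7100010166 creatorid: 95f6c7b3
rl1 tcp 192.168.0.11:4898 -> 192.168.5.199:63877 -> 193.110.223.9:6667       ESTABLISHED:ESTABLISHED
   [789377754 + 2]  [0 + 1]
   age 00:01:24, expires in 23:59:55, 17:0 pkts, 3843:0 bytes, rule 16
   id: 4264ea7100010167 creatorid: 95f6c7b3
xl0 tcp 192.168.0.199:22 <- 192.168.0.11:4757       ESTABLISHED:ESTABLISHED
   [1122334455 + 3]  [5566778899 + 1]
   age 00:02:10, expires in 23:59:55, 61:0 pkts, 6576:0 bytes, rule 50
   id: 4264ea7100010168 creatorid: 95f6c7b3
"""

# Entry header: interface, protocol, the flow (an extra "-> addr" hop appears when
# the state was translated), then the TCP state pair after a run of spaces.
HEADER_RE = re.compile(r"^(?P<ifname>\w+)\s+(?P<proto>\w+)\s+(?P<flow>\S.*?\S)\s{2,}(?P<state>\S+)$")
DETAIL_RE = re.compile(r"age (?P<age>[\d:]+), expires in (?P<expires>[\d:]+), "
                       r"(?P<pkts>\d+:\d+) pkts, (?P<bytes>\d+:\d+) bytes, rule (?P<rule>\d+)")

def parse_states(text):
    """Return one dict per state, merging the header line with its 'age ...' line."""
    states, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            # Two arrows mean "src -> translated addr -> dst": NAT was applied.
            current["translated"] = current["flow"].count("->") == 2
            current["direction"] = "in" if "<-" in current["flow"] else "out"
            states.append(current)
            continue
        m = DETAIL_RE.search(line)
        if m and current is not None:
            current.update(m.groupdict())
            current["rule"] = int(current["rule"])
    return states

def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def summarize(states):
    """The per-interface and per-rule tallies the post made by hand."""
    per_if = Counter(s["ifname"] for s in states)
    per_rule = Counter(s.get("rule") for s in states)
    return per_if, per_rule

def half_open(states, min_age=60):
    """States still in SYN_SENT:CLOSED after min_age seconds: the handshake never
    completed, the symptom of a connection re-routed with the wrong source address."""
    return [s for s in states
            if s["state"] == "SYN_SENT:CLOSED" and to_seconds(s["age"]) >= min_age]

if __name__ == "__main__":
    parsed = parse_states(SAMPLE_STATES)
    print(summarize(parsed))
    print([(s["ifname"], s["flow"], s["rule"]) for s in half_open(parsed)])
```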

Re: pf, altq shaping question

2005-04-18 Thread Tihomir Koychev

--- Nikolay Kalev <[EMAIL PROTECTED]> wrote:
> Tihomir Koychev wrote:
> 
> >--- Nikolay Kalev <[EMAIL PROTECTED]> wrote:
> >  
> >
> >>Can please anyone tell me if this is posible or
> not
> >>:
> >>I have several users behind a firewall + nat and i
> >>have to accomplish
> >>3 types of shaping per user :
> >>local country shape, internet shape, and upload
> >>shape
> >> Is this posible or not with altq. I know for sure
> >>that inbound and
> >>outbound can be done but i;m not sure that i can
> >>separate 2 diferent
> >>tipes of inbound. Please put sum examples if
> >>possible. Thanks in
> >>advance
> >>
> >>-- 
> >>Key fingerprint = 9864 E575 E207 FB90 44C8  26A2
> >>0167 E57E 66ED 0F1D
> >>
> >>
> >>
> >
> >Yes, you can.
> >Just assign queue to you filter rule.upload queue
> must
> >be assign on your $ext_if.
> >example:
> >
> >table  persist file
> "/etc/bulgaria.pf"
> >
> >pass out on $int_if from any to ip.client1 queue
> >local_country
> >pass out on $int_if from  to
> ip.client1
> >queue local_country
> >
> >look at "/usr/share/pf" for examples and
> >man 5 pf.conf
> >
> >
> Ok but as soon as i tested it i can;t get one client
> to be in 2 diferent 
> queues for example cbq algoritm one with smaller bw
> and one with bigger ?
> 

pass out on $int_if from any to ip.client1 queue small_queue
pass out on $int_if from  to ip.client1 queue big_queue

These two rules are just an example. When a packet arrives
from the internet and its destination is ip.client1, pf
evaluates it. The 1st rule is always applied, so this is the
default rule. The 2nd rule is applied only when the packet's
source is within the  table.
Note that "the last matching rule wins!"

Again, there are queue examples about bosses and
developers in /usr/share/pf

if you want complete pf.conf mail me

bye



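Added example, not from the thread: a small Python model of the evaluation order the reply above relies on ("the last matching rule wins") and of the quick rules used in the queueing ruleset reviewed earlier on this page. The table prefixes, client address and rule names are constructed for the example.

```python
import ipaddress

# Stand-in for the country table the post loads from "/etc/bulgaria.pf" (the
# table's name did not survive the archive); these prefixes are made up here.
COUNTRY_TABLE = [ipaddress.ip_network(p) for p in ("10.20.0.0/16", "10.30.0.0/16")]
CLIENT1 = ipaddress.ip_address("192.168.0.11")  # constructed ip.client1

def rule(direction, ifname, src, dst, queue, quick=False):
    """One pass rule; src/dst are 'any', 'table' (the country table) or an address."""
    return {"direction": direction, "ifname": ifname, "src": src, "dst": dst,
            "queue": queue, "quick": quick}

def addr_matches(selector, addr):
    if selector == "any":
        return True
    if selector == "table":
        return any(addr in net for net in COUNTRY_TABLE)
    return addr == selector

def evaluate(rules, direction, ifname, src, dst):
    """pf ordering: walk the ruleset top to bottom remembering every match; the
    last match wins, unless a matching rule is 'quick', which stops the walk."""
    winner = None
    for r in rules:
        if r["direction"] != direction or r["ifname"] != ifname:
            continue
        if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)):
            continue
        winner = r
        if r["quick"]:
            break
    return winner["queue"] if winner else None

# The two rules from the reply, in the order given there: the default rule first,
# the more specific country rule last, so the country rule wins when both match.
RULESET = [
    rule("out", "int_if", "any", CLIENT1, "small_queue"),
    rule("out", "int_if", "table", CLIENT1, "big_queue"),
]

# Same policy written the way the earlier ruleset on this page writes its rules:
# the specific rule first, but marked quick so nothing below it can override it.
QUICK_RULESET = [
    rule("out", "int_if", "table", CLIENT1, "big_queue", quick=True),
    rule("out", "int_if", "any", CLIENT1, "small_queue"),
]

def queue_for(src, rules=RULESET, direction="out"):
    """Queue pf would assign to a packet from src passing int_if towards client1."""
    return evaluate(rules, direction, "int_if", ipaddress.ip_address(src), CLIENT1)

if __name__ == "__main__":
    print(queue_for("10.20.5.7"))                  # big_queue: source is in the table
    print(queue_for("198.51.100.9"))               # small_queue: only the default matched
    print(queue_for("10.20.5.7", RULESET[::-1]))   # small_queue: reversed order, default wins
    print(queue_for("10.20.5.7", QUICK_RULESET))   # big_queue: quick stops at the first match
    print(queue_for("10.20.5.7", direction="in"))  # None: no rule shapes inbound on int_if
```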


Re: pf, altq shaping question

2005-04-18 Thread Tihomir Koychev

--- Nikolay Kalev <[EMAIL PROTECTED]> wrote:
> Can please anyone tell me if this is posible or not
> :
> I have several users behind a firewall + nat and i
> have to accomplish
> 3 types of shaping per user :
> local country shape, internet shape, and upload
> shape
>  Is this posible or not with altq. I know for sure
> that inbound and
> outbound can be done but i;m not sure that i can
> separate 2 diferent
> tipes of inbound. Please put sum examples if
> possible. Thanks in
> advance
> 
> -- 
> Key fingerprint = 9864 E575 E207 FB90 44C8  26A2
> 0167 E57E 66ED 0F1D
> 

Yes, you can.
Just assign a queue to your filter rule. The upload queue must
be assigned on your $ext_if.
Example:

table  persist file "/etc/bulgaria.pf"

pass out on $int_if from any to ip.client1 queue local_country
pass out on $int_if from  to ip.client1 queue local_country

look at "/usr/share/pf" for examples and
man 5 pf.conf




Re: Sample ruleset for dividing LANs

2005-04-18 Thread Tihomir Koychev

--- Steven Bowers <[EMAIL PROTECTED]> wrote:

>  I have a ruleset that is partially working, but
> I've hit a wall
> trying to figure out why a few parts do not work.
> The wifi is intended
> to be a hot-spot here in the apt complex, but I'm
> having trouble
> restricting them to their assigned services and I am
> not 100% certain
> that they do not have access to the wired LAN.
> 
> Would someone please look over this ruleset and help
> me understand
> where I went wrong? Any additional comments or ideas
> would be
> appreciated.
>

I can point you to where exactly the problem is.
 
> 
> ## Macros##
> ## Interfaces##
> ext_if   = "fxp0"
> wire_if  = "fxp1"
> wlan_if  = "fxp2"
> 
> external_addr   = "x.x.x.x"
> wire_network= "192.168.1.0/24"
> wire_gw = "192.168.1.1/32"
> wlan_network= "192.168.2.0/24"
> wlan_gw = "192.168.2.1/32"
> 
> icmp_types= "echoreq"
> nbt   = "{ 135, 137 >< 139, 445 }"
> voip_tcp  = "5060"
> voip_udp  = "{ 5060, 4569, 5036,  >< 20001, 2727 }"
> wlan_svcs = "{ pop3, ssh, www, https }"
> 
> ## Tables##
> # IANA reserved IP blocks as of 4/5/2005
> # http://www.completewhois.com/iana-ipv4-addresses.txt
> table  persist file "/etc/reserved.txt"
> 
> # restrict IP traffic to the wired LAN #
> table  const { $wire_if:network, 255.255.255.255 }
> 
> ## Options#
> set loginterface $ext_if
> set block-policy return
> set optimization normal
> set state-policy if-bound
> set timeout tcp.closed 1
> 
> ## Scrub###
> scrub out all no-df random-id max-mss 1440
> scrub in  all no-df fragment reassemble min-ttl 2
> 
> ## Queueing rules##
> ## to be developed after filtering is functional
> 
> ## NAT/RDR Translation#
> nat on $ext_if from $wire_if:network  to any -> ($ext_if)
> nat on $ext_if from $wlan_if:network  to any -> ($ext_if)
> rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 
> ## Filter rules
> block in log all
> 
> ## Pass loopback traffic ##
> pass in  quick on lo0 all
> pass out quick on lo0 all
> 
> ## drop DSL noise/broadcast packets ##
> block in quick on $ext_if inet from any to { 255.255.255.255 }
> block in quick on $ext_if inet from { 255.255.255.255 } to any
> 
> ## drop TCP non-Syn packets (not-working) ##
> #block return-rst quick inet proto tcp all flags /S
> #block return-rst quick inet proto tcp all flags A/A
> 
> ## block SLP multicast (RFC 2608, 2365) ##
> block in quick proto igmp from any to 239.255.255.253
> block in quick proto udp from any to 239.255.255.253 port 427
> 
> ## block IGMP multicast (RFC 1112, 2236) ##
> block in quick proto icmp from any to 224.0.0.0/4
> 
> ## Block all reserved private IP addresses ##
> block in log quick on $ext_if inet from  to any
> block in log   on $wire_if from { !$wire_if:network,  } to any
> block in log   on $wlan_if from { !$wlan_if:network,  } to any
> 
> ## prevent spoofing from this host ##
> block out log quick on $ext_if from !$ext_if to any
> 
> ## prevent spoofing on all interfaces ##
> antispoof log quick for $ext_if  inet
> antispoof log quick for $wire_if inet
> antispoof log quick for $wlan_if inet
> 
> # block extra DNS replies ##
> block return in on $ext_if inet proto udp from port=domain to port=domain
> 
> # Block NetBIOS traffic to the local LAN ##
> block in  quick on $ext_if inet proto tcp from any to any port $nbt
> block out quick on $ext_if inet proto tcp from any to any port $nbt
> 
> # Restrick SMB traffic to the internal network
> (needs more testing) ##
> block return in log quick on $wire_if proto udp to ! port {137 139 445 }
> block return in log quick on $wire_if proto tcp to ! port {137 139 445 }
> 
> # block nmap attempts ##
> block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
> block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
> 
> # block wlan access to wire lan (not working) ##
> #block in all on $wire_if from $wlan_if:network to any
> 
> # pass SSH traffic ##
> pass in on $ext_if inet proto tcp from any to any port 222 flags S/SA keep state
> 
> # pass VoIP traffic ##
> pass in  on $ext_if inet proto tcp from any to any port $voip_tcp flags S/SA keep state
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass in  on $ext_if inet proto udp from any to any port $voip_udp keep state
> pass out on $ext_if proto udp all keep state
> 

Note that the above 2 pass out rules are the same as the
last 2 rules. You can remove them.

> # allow internally generated traffic to pass ##
> pass in inet proto icmp all icmp-type $icmp_types
> keep state
> pass in  on $wire_if  from $wire_if:network to any 
> pass out on $wire_if  from any to $wire_if:network
> pass in  on $wlan_if  from $wlan_if:network to any 
> pass out on $wlan_if  proto { tcp, udp } from any to
> $wlan_i